Muhammad Usama Sardar <[email protected]> writes:

>I am asking because to my knowledge, the formal (vs. cryptographic/
>computational) analyses consider that all ECC keys are leaked on the advent
>of CRQC and essentially model it as a switch to leak all ECC keys

All ECC keys are leaked *eventually*. Like, by the heat death of the universe. Virtually no-one ever gives any estimate of the time and effort involved in recovering a key via physics experiment because doing so makes things look kinda bad. One of the few figures we have is from the German BSI which estimates 100 days and EUR 4M in electricity to recover a single 2048-bit key on an imagined physics experiment. So a single quantum physics experiment can recover just over three keys a year at a cost of over EUR 12M.

In 2017, 7 trillion keys were negotiated for web traffic alone (it's probably a lot higher now). So that leaves 6,999,999,999,997 keys unrecoverable, and that's ignoring the fact that the estimate was for the IFP, which is irrelevant, not the DLP, which is the one of interest for IPsec, TLS, SSH, WireGuard, etc.

Peter.

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
